Skip to content

Sandbox updates

Sandbox updates #552

Workflow file for this run

name: Build
on:
workflow_dispatch:
inputs:
ENVIRONMENT_NAME:
description: 'Environment Name'
required: true
default: Stokenet
type: choice
options:
- Stokenet
push:
branches:
- develop
- release/*
pull_request:
branches:
- develop
- release/**
release:
types: [published]
jobs:
snyk-scan-deps-licences:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for deps vulnerabilities
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical
snyk-scan-code:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-scan-code'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Run Snyk to check for code vulnerabilities
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high
command: code test
snyk-sbom:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
needs:
- snyk-scan-deps-licences
- snyk-scan-code
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
command: sbom
build:
runs-on: ubuntu-latest
needs:
- snyk-scan-deps-licences
- snyk-scan-code
outputs:
tag: ${{ steps.setup_tags.outputs.tag }}
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
- name: Setup tags for docker image
id: setup_tags
run: echo "tag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Use Node.js
uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e
with:
node-version: '18.x'
- name: Authenticate with private NPM package
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test
- name: Build
run: npm run build
- name: Dump context
uses: crazy-max/ghaction-dump-context@v2
push-docker-image:
name: (PRIVATE) Docker AMD
needs:
- build
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: ubuntu-latest
image_registry: "docker.io"
image_organization: "radixdlt"
image_name: "private-radix-dapp-toolkit"
tag: ${{ needs.build.outputs.tag }}
tags: |
type=semver,pattern={{version}}
context: "./"
dockerfile: "./Dockerfile"
platforms: "linux/amd64"
scan_image: true
snyk_target_ref: ${{ github.ref_name }}
snyk-monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
needs:
- push-docker-image
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
with:
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }}
command: monitor
snyk-container-monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
needs:
- push-docker-image
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'radix-dapp-toolkit'
step_name: 'snyk-container-monitor'
dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
image: docker.io/radixdlt/private-radix-dapp-toolkit:${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
target_ref: ${{ github.ref_name }}
deploy-pr:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
needs:
- push-docker-image
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
with:
version: 2
- name: Setup helmfile and helm
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
with:
helm-diff-plugin-version: 'v3.1.3'
helmfile-version: 'v0.144.0'
helm-version: 'v3.11.0'
install-kubectl: no
- name: Install kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
with:
version: 'v1.25.6'
- name: Configure AWS credentials for deployment
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
with:
role-to-assume: ${{ secrets.DEPLOY_PR_IAM_ROLE }}
aws-region: eu-west-2
- name: Deploy application
working-directory: deploy/helm
run: |
cat <<DOC > namespace.yaml
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
name: radix-dapp-toolkit-pr-${{ github.event.number }}
namespace: radix-dapp-toolkit-ci-pr
DOC
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
--alias ${{ secrets.CLUSTER_NAME }} \
--region eu-west-2
kubectl apply -f namespace.yaml
helmfile --environment pr --namespace radix-dapp-toolkit-pr-${{ github.event.number }} \
--state-values-set "ci.tag=${{ env.CI_TAG }}" \
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
apply
env:
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
INGRESS_DOMAIN: radix-dapp-toolkit-pr-${{ github.event.number}}.${{ secrets.INGRESS_DOMAIN }}
HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
deploy-dev:
if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
runs-on: ubuntu-latest
needs:
- push-docker-image
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
with:
version: 2
- name: Setup helmfile and helm
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
with:
helm-diff-plugin-version: 'v3.1.3'
helmfile-version: 'v0.144.0'
helm-version: 'v3.11.0'
install-kubectl: no
- name: Install kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
with:
version: 'v1.25.6'
- name: Configure AWS credentials for deployment
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
with:
role-to-assume: ${{ secrets.DEPLOY_DEV_IAM_ROLE }}
aws-region: eu-west-2
- name: Deploy application
working-directory: deploy/helm
run: |
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
--alias ${{ secrets.CLUSTER_NAME }} \
--region eu-west-2
helmfile --environment dev --namespace radix-dapp-toolkit-dev \
--state-values-set "ci.tag=${{ env.CI_TAG }}" \
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
apply
env:
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
INGRESS_DOMAIN: radix-dapp-toolkit-dev.${{ secrets.INGRESS_DOMAIN }}
HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
deploy-release:
if: startsWith(github.ref_name,'release/')
runs-on: ubuntu-latest
needs:
- push-docker-image
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
with:
version: 2
- name: Setup helmfile and helm
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
with:
helm-diff-plugin-version: 'v3.1.3'
helmfile-version: 'v0.144.0'
helm-version: 'v3.11.0'
install-kubectl: no
- name: Install kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
with:
version: 'v1.25.6'
- name: Configure AWS credentials for deployment
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
with:
role-to-assume: ${{ secrets.DEPLOY_RELEASES_IAM_ROLE }}
aws-region: eu-west-2
- name: Deploy application
working-directory: deploy/helm
run: |
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \
--alias ${{ secrets.CLUSTER_NAME }} \
--region eu-west-2
BRANCH_NAME=${{ github.ref_name }}
NORMALIZED_BRANCH_NAME=${BRANCH_NAME/\//-}
cat <<DOC > subns-manifest.yaml
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
name: radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME
namespace: radix-dapp-toolkit-ci-releases
DOC
kubectl apply -f subns-manifest.yaml
helmfile --environment dev --namespace radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME \
--state-values-set "ci.tag=${{ env.CI_TAG }}" \
--state-values-set "ci.ingressDomain=radix-dapp-toolkit-${NORMALIZED_BRANCH_NAME}.${{ env.INGRESS_DOMAIN }}" \
apply
env:
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
INGRESS_DOMAIN: ${{ secrets.INGRESS_DOMAIN }}
HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
deploy-stokenet:
if: ( github.event.inputs.ENVIRONMENT_NAME == 'Stokenet' && github.event_name == 'workflow_dispatch' )
runs-on: ubuntu-latest
environment: stokenet
needs:
- push-docker-image
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
with:
version: 2
- name: Setup helmfile and helm
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
with:
helm-diff-plugin-version: 'v3.1.3'
helmfile-version: 'v0.144.0'
helm-version: 'v3.11.0'
install-kubectl: no
- name: Install kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
with:
version: 'v1.25.6'
- name: Configure AWS credentials for deployment
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
with:
role-to-assume: ${{ secrets.DEPLOY_STOKENET_IAM_ROLE }}
aws-region: eu-west-2
- name: Deploy application
working-directory: deploy/helm
run: |
aws eks update-kubeconfig --name ${{ secrets.STOKENET_CLUSTER_NAME }} \
--alias ${{ secrets.STOKENET_CLUSTER_NAME }} \
--region eu-west-2
helmfile --environment stokenet --namespace radix-dapp-toolkit-stokenet \
--state-values-set "ci.tag=${{ env.CI_TAG }}" \
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
apply
env:
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
INGRESS_DOMAIN: ${{ secrets.STOKENET_INGRESS_DOMAIN }}
HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}
deploy-mainnet:
if: github.event_name == 'release' && !github.event.release.prerelease
runs-on: ubuntu-latest
needs:
- push-docker-image
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787
with:
version: 2
- name: Setup helmfile and helm
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184
with:
helm-diff-plugin-version: 'v3.1.3'
helmfile-version: 'v0.144.0'
helm-version: 'v3.11.0'
install-kubectl: no
- name: Install kubectl
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2
with:
version: 'v1.25.6'
- name: Configure AWS credentials for deployment
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3
with:
role-to-assume: ${{ secrets.DEPLOY_MAINNET_IAM_ROLE }}
aws-region: eu-west-2
- name: Deploy application
working-directory: deploy/helm
run: |
aws eks update-kubeconfig --name ${{ secrets.MAINNET_CLUSTER_NAME }} \
--alias ${{ secrets.MAINNET_CLUSTER_NAME }} \
--region eu-west-2
helmfile --environment mainnet --namespace radix-dapp-toolkit-mainnet \
--state-values-set "ci.tag=${{ env.CI_TAG }}" \
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \
apply
env:
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }}
INGRESS_DOMAIN: ${{ secrets.MAINNET_INGRESS_DOMAIN }}
HELM_GH_USER: ${{ secrets.HELM_GH_USER }}
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }}